Ensuring the Cybersecurity of Cloud Solutions

According to RightScale’s 2016 State of the Cloud Report, 97 percent of enterprises have a cloud strategy. In the energy industry, many companies are turning to cloud-based, Software-as-a-Service (SaaS) solutions to manage everything from energy trading software to Conservation Voltage Reduction (CVR). While these solutions afford many benefits, including easy deployment, increased efficiency, and cost savings, they can also expose your organization to increased security risk if they are not selected and deployed carefully.

The options available to you in the SaaS market are seemingly endless. As everyone from startups to large conglomerates fights to carve out a piece of the pie, it is more important than ever to pick a vendor you can truly trust with the security of your data. Here are some things you should consider before purchasing a cloud-based system:

Operational Risk and Mitigation
Operational risk associated with moving to the cloud depends on your company’s unique circumstances. Deciding to invest in a cloud-based solution means identifying the relevant threats and vulnerabilities and weighing the impact and likelihood of each. That analysis lets you identify operational risks and mitigation tactics such as:

The examples provided here are only an illustration of the kinds of operational risks and mitigations you can identify. Conducting your own independent risk assessment helps you determine what really matters to your organization, so you can choose the vendor that meets your needs.

Vendor Management
The now-infamous breach of Target Corporation, in which attackers first gained access through credentials stolen from a third-party vendor, brought cyber supply chain security to the foreground. Most organizations understand that moving to a SaaS solution increases their potential attack surface, but far fewer realize that the supply chain attack surface may extend beyond the vendor they chose. A key question to ask is whether the vendor you are considering controls the whole cloud stack in-house or outsources parts of it.

A “cloud stack” refers to three distinct layers, each of which can be provided as an independent service: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). A SaaS vendor may rely on one or more separate providers for its infrastructure and platform layers, and each of those providers becomes part of your supply chain. To keep that attack surface as small as possible, it is in your best interest to select a vendor who controls the entire stack: a single vendor accountable for all three layers leaves fewer parties to assess and fewer gaps between their security responsibilities in which a vulnerability can go unnoticed. If the vendor does outsource a layer, ask for the same security assurances from each subprovider and for a clear statement of which controls each party is responsible for.

Native to Energy
Choose a vendor that knows your business and, if possible, specializes in your industry. Having a vendor who understands all aspects of your business and keeps up with industry regulations is extremely beneficial. The energy market is OATI’s niche, and we understand this segment better than any other vendor in the market.

Security is a Two-Way Street
Even the most secure vendor’s efforts will be in vain if your own security is not up to par. At the end of the day, a vulnerability is a vulnerability no matter where it resides, and an attacker who compromises your users or network can reach the vendor’s system with your credentials. Make sure you are implementing the same security practices you expect a vendor to adhere to.

Cloud-based, Software-as-a-Service solutions are a great option for companies large and small to increase efficiency and realize increased revenue, as long as you keep your organization’s cybersecurity a priority. If you ask the right questions, you can be confident that you will find a quality vendor that shares your vision.

About the author:
Jerrod Montoya is an innovative security expert who focuses on the intersection of the law, technology, and cybersecurity. In his role as Security and Compliance Counsel at OATI, he provides counsel on legal, policy, regulatory, and strategic matters. He also manages several internal cybersecurity related initiatives and provides project management support for new projects in OATI’s rapidly expanding Smart Grid area. He is President of the InfraGard Minnesota Members Alliance, an FBI-sponsored nonprofit that fosters critical infrastructure security through public/private collaboration, as well as an adjunct associate professor at the University of Minnesota Law School and Mitchell Hamline School of Law, where he teaches courses on cybersecurity law. Mr. Montoya is also an advisor to the Cybersecurity Summit. Previously, he served as a non-commissioned officer in the U.S. Marine Corps.